<p>Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2018-0269">CVE-2018-0269</a> </li>
  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2017-14460">CVE-2017-14460</a> </li>
</ul>
<p><a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy">Same origin policy</a> in browsers prevents, by default and for
security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port)
from its own. The requested target can append additional HTTP headers in response, called <a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">CORS</a>, that act like directives for the browser and change the access control policy
/ relax the same origin policy.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> You don’t trust the origin specified, example: <code>Access-Control-Allow-Origin: untrustedwebsite.com</code>. </li>
  <li> Access control policy is entirely disabled: <code>Access-Control-Allow-Origin: *</code> </li>
  <li> Your access control policy is dynamically defined by a user-controlled input like <a
  href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin"><code>origin</code></a> header. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> The <code>Access-Control-Allow-Origin</code> header should be set only for a trusted origin and for specific resources. </li>
  <li> Allow only selected, trusted domains in the <code>Access-Control-Allow-Origin</code> header. Prefer whitelisting domains over blacklisting or
  allowing any domain (do not use * wildcard nor blindly return the <code>Origin</code> header content without any checks). </li>
</ul>
<h2>Sensitive Code Example</h2>
<p><a href="https://nodejs.org/api/http.html">nodejs http</a> built-in module:</p>
<pre>
const http = require('http');
const srv = http.createServer((req, res) =&gt; {
  res.writeHead(200, { 'Access-Control-Allow-Origin': '*' }); // Sensitive
  res.end('ok');
});
srv.listen(3000);
</pre>
<p><a href="https://www.npmjs.com/package/express">Express.js</a> framework with <a href="https://www.npmjs.com/package/cors">cors middleware</a>:</p>
<pre>
const cors = require('cors');

let app1 = express();
app1.use(cors()); // Sensitive: by default origin is set to *

let corsOptions = {
  origin: '*' // Sensitive
};

let app2 = express();
app2.use(cors(corsOptions));
</pre>
<p>User-controlled origin:</p>
<pre>
function (req, res) {
  const origin = req.headers.origin;
  res.setHeader('Access-Control-Allow-Origin', origin); // Sensitive
};
</pre>
<h2>Compliant Solution</h2>
<p><a href="https://nodejs.org/api/http.html">nodejs http</a> built-in module:</p>
<pre>
const http = require('http');
const srv = http.createServer((req, res) =&gt; {
  res.writeHead(200, { 'Access-Control-Allow-Origin': 'trustedwebsite.com' }); // Compliant
  res.end('ok');
});
srv.listen(3000);
</pre>
<p><a href="https://www.npmjs.com/package/express">Express.js</a> framework with <a href="https://www.npmjs.com/package/cors">cors middleware</a>:</p>
<pre>
const cors = require('cors');

let corsOptions = {
  origin: 'trustedwebsite.com' // Compliant
};

let app = express();
app.use(cors(corsOptions));
</pre>
<p>User-controlled origin validated with an allow-list:</p>
<pre>
function (req, res) {
  const origin = req.headers.origin;

  if (origin === 'trustedwebsite.com') {
    res.setHeader('Access-Control-Allow-Origin', origin);
  }
};
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">Top 10 2021 Category A5 - Security Misconfiguration</a> </li>
  <li> OWASP - <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">Top 10 2021 Category A7 - Identification and
  Authentication Failures</a> </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS">developer.mozilla.org</a> - CORS </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy">developer.mozilla.org</a> - Same origin policy </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
  Misconfiguration</a> </li>
  <li> <a href="https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#cross-origin-resource-sharing">OWASP HTML5 Security
  Cheat Sheet</a> - Cross Origin Resource Sharing </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/346">CWE-346 - Origin Validation Error</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/942">CWE-942 - Overly Permissive Cross-domain Whitelist</a> </li>
</ul>
